H3C Password Contro

1.3.2 组网需求
如图1所示，管理员Admin登录到Switch上进行密码管理相关配置，具体需求如下
· 全局密码管理策略：用户2次登录失败Switch后就永久禁止登录；密码老化时间为30天；允许用户进行密码更新的最小时间间隔为36小时；密码过期后60天内允许登录5次；用户帐号的闲置时间为30天；不允许密码中包含用户名或者字符顺序颠倒的用户名；不允许密码中包含连续三个或以上相同字符。
· Host A为采用本地认证的Telnet用户，用户名为telnet-user，登录到设备后的用户角色为level-0，配置其密码管理策略为：最小密码长度为20个字符，密码元素的最少组合类型为4种，至少要包含每种元素的个数为4个。
· Host B为采用本地认证的FTP用户，用户名为ftp-user，登录到设备后的用户角色为level-9，配置其密码管理策略为：最小密码长度为24个字符，密码元素的最少组合类型为4种，至少要包含每种元素的个数为5个，密码老化时间为1天。
图1 PassWord Control典型组网图

1.3.3 配置注意事项
· 对于FTP用户，密码老化后，只能由管理员修改FTP用户的密码；对于Telnet、ssh、Terminal（通过Console口登录设备）用户可自行修改密码。
· 使能全局密码管理功能后，设备管理类本地用户密码的配置将不被显示，即无法通过相应的display命令查看到设备管理类本地用户密码的配置。
1.3.4 配置步骤

<Switch> system-view
[Switch] telnet server enable

[Switch] ftp server enable

[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] protocol inbound all
[Switch-ui-vty0-15] quit

[Switch] password-control enable

[Switch] password-control login-attempt 2 exceed lock

[Switch] password-control aging 30

[Switch] password-control update-interval 36

[Switch] password-control expired-user-login delay 60 times 5

[Switch] password-control login idle-time 30

[Switch] password-control complexity user-name check

[Switch] password-control complexity same-character check

[Switch] local-user telnet-user class manage
New local user added.

[Switch-luser-manage-telnet-user] service-type telnet

[Switch-luser-manage-telnet-user] undo authorization-attribute user-role network-operator
[Switch-luser-manage-telnet-user] authorization-attribute user-role level-0

[Switch-luser-manage-telnet-user] password-control length 20

[Switch-luser-manage-telnet-user] password-control composition type-number 4 type-length 4
[Switch-luser-manage-telnet-user] quit

[Switch] local-user ftp-user class manage
New local user added.

[Switch-luser-manage-ftp-user] service-type ftp

[Switch-luser-manage-ftp-user] undo authorization-attribute user-role network-operator
[Switch-luser-manage-ftp-user] authorization-attribute user-role level-9

[Switch-luser-manage-ftp-user] password-control length 24

[Switch-luser-manage-ftp-user] password-control composition type-number 4 type-length 5

[Switch-luser-manage-ftp-user] password-control aging 1
[Switch-luser-manage-ftp-user] quit
1.3.5 验证配置

<Switch> display password-control
Global password control configurations:
Password control: Enabled
Password aging: Enabled (30 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Password history: Enabled (max history records:4)
Early notice on password expiration: 7 days
Maximum login attempts: 2
Action for exceeding login attempts: Lock
Minimum interval between two updates:36 hours
User account idle time: 30 days
Logins with aged password: 5 times in 60 days
Password complexity: Enabled (username checking)
Disabled (repeated characters checking)

<Switch> system-view
[Switch] local-user telnet-user class manage
[Switch-luser-manage-telnet-user] display this
#
local-user telnet-user class manage
service-type telnet
authorization-attribute user-role level-0
password-control length 20
password-control composition type-number 4 type-length 4
#
return
[Switch-luser-manage-telnet-user] quit
[Switch] local-user ftp-user class manage
[Switch-luser-manage-ftp-user] display this
#
local-user ftp-user class manage
service-type ftp
authorization-attribute user-role level-9
password-control aging 1
password-control length 24
password-control composition type-number 4 type-length 5
#
return

[Switch] local-user telnet-user class manage
[Switch-luser-manage-telnet-user] password
Password:
Confirm :
Updating user infORMation. Please wait ... ...
[Switch-luser-manage-telnet-user] quit

[Switch] local-user ftp-user class manage
[Switch-luser-manage-ftp-user] password
Password:
Confirm :
Updating user information. Please wait ... ...
[Switch-luser-manage-ftp-user] quit
配置成功后，Telnet用户“telnet-user”和FTP用户“ftp-user”，使用符合密码管理策略的密码可登录到Switch上，并分别具有角色Level-0和Level-9的权限。
1.3.6 配置文件
#
ftp server enable
#
telnet server enable
#
user-interface vty 0 15
authentication-mode scheme
user-role network-admin
user-role network-operator
#
password-control enable
password-control aging 30
password-control login-attempt 2 exceed lock
password-control update-interval 36
password-control login idle-time 30
password-control expired-user-login delay 60 times 5
password-control complexity user-name check
password-control complexity same-character check
#
local-user ftp-user class manage
service-type ftp
authorization-attribute user-role level-9
password-control aging 1
password-control length 24
password-control composition type-number 4 type-length 5
#
local-user telnet-user class manage
service-type telnet
authorization-attribute user-role level-0
password-control length 20
password-control composition type-number 4 type-length 4
#